Using Policy-Based routing on a VLAN interface

Unanswered Question
Sep 12th, 2008

Howdy-

We have an open wireless network which requires use of a VPN in order to authenticate and then connect anywhere.

Many folks are unaware of the VPN requirement, and don't understand that they need to use the VPN.

Therefore, we are trying to redirect all web traffic on our wireless VLAN to a specific web page with information on the VPN and how to get it.

We are using Policy-Based routing on the VLAN interface for the Wireless subnet in order to redirect all web traffic to this web page, which is set up to capture this traffic and display the information.

However it is not working; we see hits on the access-list but the redirect does not work.

Here's the config we are using:

access-list 156 deny tcp any any neq www
access-list 156 permit tcp any any
!
route-map redirect permit 10
match ip address 156
set ip next-hop 132.198.201.25
!
int vlan 155
description wireless network
ip address 192.168.1.1 255.255.255.0
ip policy route-map redirect

Does PBR not work on VLAN interfaces?

FWIW the VLAN interface is on a 6513 running hybrid mode.

We can connect to the web page at 132.198.201.25 if we enter that URL manually, so we know we've got connectivity.

Thanks for any suggestions!

Lynne

Marwan ALshawi Fri, 09/12/2008 - 04:21

I think your ACL should look like:

access-list 156 permit tcp any any eq www

And if you can get a wireless controller, or do this web authentication or instruction through the wireless device, it will be better.

Good luck

lynne.meeks Fri, 09/12/2008 - 05:03

Thanks for your feedback.

I think the acl is ok, since we first deny any traffic that is NOT web, the only traffic left should be web. But we can give it a try.

We had looked into doing the redirect with the LWAPP controllers. However, we don't want to do web authentication instead of the VPN since it is not a secure connection, and the controller will only let you use a web redirect IF you are doing 802.1x or web authentication...
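As an added example (not code from the thread, and not Cisco IOS), here is a small Python model of how ACL 156 and the route-map in the original post classify traffic from the wireless VLAN: first-match ACL evaluation, the implicit deny at the end of every ACL, and the route-map's next-hop decision. The sample packets and their destination addresses are constructed; the next hop 132.198.201.25, Lynne's two-line ACL and Marwan's one-line ACL are the ones in the posts. Running it shows that both ACL forms select exactly the same traffic (TCP to destination port 80), so the ACL wording alone does not explain the failed redirect.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

HTTP_PORT = 80  # the port the Cisco keyword "www" stands for


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet: protocol, addresses and TCP/UDP destination port."""
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list 156 <permit|deny> <proto> any any [eq|neq <port>]' line."""
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (ip matches any protocol)
    port_op: Optional[str] = None  # "eq", "neq" or None (no port test)
    port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.port_op is None:
            return True
        if self.port_op == "eq":
            return pkt.dport == self.port
        if self.port_op == "neq":
            return pkt.dport != self.port
        raise ValueError(f"unsupported port operator {self.port_op!r}")


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; a packet matching no entry hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


# Lynne's two-line ACL from the original post.
ACL_156_TWO_LINE = [
    AclEntry("deny", "tcp", "neq", HTTP_PORT),   # access-list 156 deny tcp any any neq www
    AclEntry("permit", "tcp"),                   # access-list 156 permit tcp any any
]

# Marwan's one-line suggestion.
ACL_156_ONE_LINE = [
    AclEntry("permit", "tcp", "eq", HTTP_PORT),  # access-list 156 permit tcp any any eq www
]

REDIRECT_NEXT_HOP = "132.198.201.25"  # the 'set ip next-hop' value from the route-map


def pbr_next_hop(acl: List[AclEntry], pkt: Packet) -> Optional[str]:
    """Model 'route-map redirect permit 10 / match ip address 156 / set ip next-hop ...'.

    A packet permitted by the ACL gets the policy next hop; any other packet returns
    None, meaning it falls through to ordinary destination-based routing.
    """
    return REDIRECT_NEXT_HOP if acl_permits(acl, pkt) else None


# Constructed sample traffic from a wireless client on 192.168.1.0/24; destinations are
# documentation addresses (203.0.113.0/24) with no relation to the network in the thread.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "http":  Packet("tcp", "192.168.1.10", "203.0.113.5", 80),
    "https": Packet("tcp", "192.168.1.10", "203.0.113.5", 443),
    "ssh":   Packet("tcp", "192.168.1.10", "203.0.113.5", 22),
    "dns":   Packet("udp", "192.168.1.10", "203.0.113.53", 53),
    "ping":  Packet("icmp", "192.168.1.10", "203.0.113.5"),
}


def classify(acl: List[AclEntry]) -> Dict[str, Optional[str]]:
    """Next hop chosen by PBR for each sample flow under the given ACL."""
    return {name: pbr_next_hop(acl, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


def acls_equivalent(a: List[AclEntry], b: List[AclEntry]) -> bool:
    """True when both ACLs make the same permit/deny decision for every sample flow."""
    return all(acl_permits(a, p) == acl_permits(b, p) for p in SAMPLE_TRAFFIC.values())


if __name__ == "__main__":
    for label, acl in (("two-line", ACL_156_TWO_LINE), ("one-line", ACL_156_ONE_LINE)):
        print(label, classify(acl))
    print("equivalent:", acls_equivalent(ACL_156_TWO_LINE, ACL_156_ONE_LINE))
```

Only the "http" flow gets the policy next hop under either ACL; HTTPS, SSH, DNS and ICMP fall through to normal routing. Note what the model also makes visible: PBR changes only where the packet is sent next, not its destination IP address, so the web server at the next hop must be prepared to accept and answer HTTP connections addressed to other hosts, which is what the original post means by a page "set up to capture this traffic".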
